Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Fri, 27 Aug 2004 12:17:58 -0400
Yes, that's what I was looking for. Your policy does not explicitly state the password cracking technique, but you have had campus discussion on the policy? For us to create an IT policy here, there's at least 4 rounds of different committee review and approval. We'd have to explicitely state we were going to try to crack passwords, or the policy would not support the action. Theresa ---- Original message ----
Date: Sat, 28 Aug 2004 02:09:37 +1000 From: Christian Wilson <Christian.Wilson () its monash edu au> Subject: Re: [SECURITY] Password Cracking & Consequences To: Theresa M Rowe <rowe () oakland edu> Cc: SECURITY () LISTSERV EDUCAUSE EDU Theresa, On Fri, Aug 27, 2004 at 08:29:17AM -0400, Theresa M Rowe
wrote:
I just cannot imagine even trying that in our culture. I
am
surprise that this is being done at some organizations.
Can
you share more specifics about the process: What campus involvement did you get prior to making the decision - this couldn't have been just an IT decision. How did you market it? How did your faculty react?We have an IT Security Policy (everyone I believe can read
it, its located
at http://www.adm.monash.edu.au/unisec/pol/itec13.html). Things like cracking passwords/finding security
vulnerabilities and exposing
such vulnerabilities can be determined from our policy via
the following
clause: "10.2 Monitoring will be undertaken routinely by ITS
Authorized Staff in
the normal course of their duties to maintain technical
security and
operational efficiency of the system/service. Any
extraordinary action
taken to monitor IT services must be authorized by the
Executive
Director, ITS." So basically issues regarding technical security, the
cracking of usernames
and passswords would fall under this. Our IT Security Policy has been approved by the University
IT Policy group,
so thats how we can justify doing what you are asking. Perhaps things are different in Australia as opposed to the
US? I don't know?
I'd be interested in seeing what people on list think about
our policy.
Hope this helps Christian. -- Christian Wilson IT Security and Risk Manager, Infrastructure Services Information Technology Services, Monash University - Clayton Phone: +61 3 990 51187
Theresa Rowe Assistant Vice President University Technology Services www.oakland.edu/uts - the latest news from University Technology Services ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Re: Password Cracking & Consequences, (continued)
- Re: Password Cracking & Consequences Theresa M Rowe (Aug 27)
- Re: Password Cracking & Consequences Wayne Wilson (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Lucas, Bryan (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Lucas, Bryan (Aug 27)
- Re: Password Cracking & Consequences Justin Azoff (Aug 27)
- Re: Password Cracking & Consequences Michael Mills (Aug 27)
- Re: Password Cracking & Consequences Christian Wilson (Aug 27)
- Re: Password Cracking & Consequences Theresa M Rowe (Aug 27)
- Re: Password Cracking & Consequences Theresa M Rowe (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Eric Pancer (Aug 27)
- Re: Password Cracking & Consequences Christian Wilson (Aug 27)
- Re: Password Cracking & Consequences Justin Azoff (Aug 27)
- Re: Password Cracking & Consequences Scott Bradner (Aug 27)
- Re: Password Cracking & Consequences Scott Bradner (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Gary Flynn (Aug 27)
- Re: Password Cracking & Consequences Michael Mills (Aug 27)
- Re: Password Cracking & Consequences Scott Bradner (Aug 27)
(Thread continues...)